These were the alerts most frequently flagged as false positives using Alert Filters last month.
Note that this does not necessarily mean they are false positives; it could mean that the people using ZAP are not interested in these specific vulnerabilities.
Position | Alert | Status | Rule Type |
---|---|---|---|
1 | Information Disclosure - Suspicious Comments | release | Passive |
2 | Session ID in URL Rewrite | release | Passive |
3 | Cross-Domain Misconfiguration | release | Passive |
4 | X-Content-Type-Options Header Missing | release | Passive |
5 | Cookie without SameSite Attribute | release | Passive |
6 | Content Security Policy (CSP) Header Not Set | release | Passive |
7 | Retrieved from Cache | release | Passive |
8 | Strict-Transport-Security Header | release | Passive |
9 | Re-examine Cache-control Directives | release | Passive |
10 | Timestamp Disclosure - Unix | release | Passive |
11 | HTTP Server Response Header | release | Passive |
12 | Cross-Domain JavaScript Source File Inclusion | release | Passive |
13 | User Agent Fuzzer | release | Active |
14 | CSP | release | Passive |
15 | Loosely Scoped Cookie | release | Passive |
16 | Anti-clickjacking Header | release | Passive |
17 | Cookie No HttpOnly Flag | release | Passive |
18 | Modern Web Application | release | Passive |
19 | Session Management Response Identified | beta | Passive |
20 | Permissions Policy Header Not Set | beta | Passive |